CS355: Cryptography Lecture 17, 18, 19: Public- Key Cryptography.RSA. Attacks against RSA. CS355 Lecture 17/ Spring 2007 1 Public Key Cryptography Overview l Proposed in Diffie and Hellman (1976) “New Directions in Cryptography” ß public-key encryption schemes ß public key distribution systems • Diffie-Hellman key agreement protocol ß digital signature l Public-key encryption was proposed in 1970 by James Ellis ß in a classified paper made public in 1997 by the British Governmental Communications Headquarters l Diffie-Hellman key agreement and concept of digital signature are still due to Diffie & Hellman CS355 Lecture 17/ Spring 2007 3 Public Key Encryption l Public-key encryption ß each party has a PAIR (K, K-1) of keys: K is the public key and K-1 is the private key, such that DK-1[EK[M]] = M ß Knowing the public-key and the cipher, it is computationally infeasible to compute the private key ß Public-key crypto systems are thus known to be asymmetric crypto systems ß The public-key K may be made publicly available, e.g., in a publicly available directory ß Many can encrypt, only one can decrypt CS355 Lecture 17/ Spring 2007 4 Public-Key Encryption Needs One-way Trapdoor Functions l Given a public-key crypto system, ß Alice has public key K ß EK must be a one-way function, knowing y= EK[x], it should be difficult to find x ß However, EK must not be one-way from Alice’s perspective. The function EK must have a trapdoor such that knowledge of the trapdoor enables one to invert it CS355 Lecture 17/ Spring 2007 5 Trapdoor One-way Functions Definition: A function f: {0,1}* Æ {0,1}* is a trapdoor one-way function iff f(x) is a one-way function; however, given some extra information it becomes feasible to compute f-1: given y, find x s.t. y = f(x) CS355 Lecture 17/ Spring 2007 6 RSA Algorithm l Invented in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman ß Published as R L Rivest, A Shamir, L Adleman, "On Digital Signatures and Public Key Cryptosystems", Communications of the ACM, vol 21 no 2, pp120- 126, Feb 1978 l Security relies on the difficulty of factoring large composite numbers l Essentially the same algorithm was discovered in 1973 by Clifford Cocks, who works for the British intelligence CS355 Lecture 17/ Spring 2007 7 Zpq* l Let p and q be two large primes l Denote their product n=pq. l Zn*= Zpq* contains all integers in the range [1,pq-1] that are relatively prime to both p and q l The size of Zn* is F(pq) = (p-1)(q-1)=n-(p+q)+1 (p-1)(q-1) l For every x Œ Zpq*, x ≡ 1 mod n CS355 Lecture 17/ Spring 2007 8 Exponentiation in Zpq* l Motivation: We want to use exponentiation for encryption l Let e be an integer, 1<e<(p-1)(q-1) e l When is the function f(x)=x , a one-to-one function in Zpq*? e l If x is one-to-one, then it is a permutation in Zpq*. CS355 Lecture 17/ Spring 2007 9 Exponentiation in Zpq* l Claim: If e is relatively prime to (p-1)(q-1) then e f(x)=x is a one-to-one function in Zpq* l Proof by constructing the inverse function of f. As gcd(e,(p-1)(q-1))=1, then there exists d and k s.t. ed=1+k(p-1)(q-1) e d e d 1+k(p-1)(q-1) l Let y=x , then y =(x ) =x =x (mod pq), i.e., g(y)=yd is the inverse of f(x)=xe. CS355 Lecture 17/ Spring 2007 10 RSA Public Key Crypto System Key generation: Select 2 large prime numbers of about the same size, p and q Compute n = pq, and F(n) = (q-1)(p-1) Select a random integer e, 1 < e < F(n), s.t. gcd(e, F(n)) = 1 Compute d, 1< d< F(n) s.t. ed ≡ 1 mod F(n) Public key: (e, n) Private key: d Note: p and q must remain secret CS355 Lecture 17/ Spring 2007 11 RSA Description (cont.) Encryption Given a message M, 0 < M < n M Œ Zn- {0} use public key (e, n) e compute C = M mod n C Œ Zn- {0} Decryption Given a ciphertext C, use private key (d) Compute Cd mod n = (Me mod n)d mod n = Med mod n = M CS355 Lecture 17/ Spring 2007 12 RSA Example l p = 11, q = 7, n = 77, F(n) = 60 l d = 13, e = 37 (ed = 481; ed mod 60 = 1) e l Let M = 15. Then C ≡ M mod n C ≡ 1537 (mod 77) = 71 d l M ≡ C mod n M ≡ 7113 (mod 77) = 15 CS355 Lecture 17/ Spring 2007 13 Why does RSA work? e d l Need to show that (M ) (mod n) = M, n = pq l We have shown that when MŒZpq*, i.e., gcd(M, n) = 1, then Med ≡ M (mod n) l What if MŒZpq-{0}-Zpq*, e.g., gcd(M, n) = p. ß ed ≡ 1 (mod F(n)), so ed = kF(n) + 1, for some integer k. Med mod p = (M mod p)ed mod p = 0 so Med ≡ M mod p Med mod q = (Mk*F(n) mod q) (M mod q) = M mod q so Med ≡ M mod q As p and q are distinct primes, it follows from the CRT that Med ≡ M mod pq CS355 Lecture 17/ Spring 2007 14 RSA Implementation n, p, q l The security of RSA depends on how large n is, which is often measured in the number of bits for n. Current recommendation is 1024 bits for n. l p and q should have the same bit length, so for 1024 bits RSA, p and q should be about 512 bits. l p-q should not be small CS355 Lecture 17/ Spring 2007 15 RSA Implementation l Select p and q prime numbers l In general, select numbers, then test for primality l Many implementations use the Rabin-Miller test, (probabilistic test) CS355 Lecture 17/ Spring 2007 16 RSA Implementation e l e is usually chosen to be 3 or 216 + 1 = 65537 l In order to speed up the encryption ß the smaller the number of 1 bits, the better ß why? CS355 Lecture 17/ Spring 2007 17 Square and Multiply Algorithm for Exponentiation c l Computing (x) mod n ß Example: suppose that c=53=110101 ß x53=(x13)2·x=(((x3)2)2·x)2)2·x =(((x2·x)2)2·x)2)2·x mod n Alg: Square-and-multiply (x, n, c = ck-1 ck-2 … c1 c0) z=1 for i ¨ k-1 downto 0 { z ¨ z2 mod n if ci = 1 then z ¨ (z * x) mod n } return z CS355 Lecture 17/ Spring 2007 18 RSA Implementation: Decryption l CRT is used in RSA by creating two equations for decryption: The goal is to compute M , from M = Cd mod n M1 = M mod p = Cd mod p M2 = M mod q = Cd mod q Fermat theorem on the exponents M1 ≡ Cd mod (p-1) mod p M2 ≡ Cd mod (q-1) mod q • then the pair of equations M ≡ M1 mod p, M ≡ M2 mod q has a unique solution M. M ≡ M1(q-1 mod p)q + M2(p-1 mod q)p (mod n) CS355 Lecture 17/ Spring 2007 19 Efficiency of computation modulo n l Suppose that n is a k-bit number, and 0£ x,y £ n ß computing (x+y) mod n takes time O(k) ß computing (x-y) mod n takes time O(k) ß computing (xy) mod n takes time O(k2) ß computing (x-1) mod n takes time O(k3) ß computing (x)c mod n takes time O((log c) k2) CS355 Lecture 17/ Spring 2007 20 RSA on Long Messages ß RSA requires that the message M is at most n-1 where n is the size of the modulus. ß What about longer messages? They are broken into blocks. Smaller messages are padded. CBC is used to prevent attacks regarding the blocks. ß NOTE: In practice RSA is used to encrypt symmetric keys, so the message is not very long. CS355 Lecture 17/ Spring 2007 21 Pohlig-Hellman Exponentiation Cipher l A symmetric key exponentiation cipher ß encryption key (e,p), where p is a prime ß decryption key (d,p), where ed≡1 (mod (p-1)) ß to encrypt M, compute Me mod p ß to decrypt C, compute Cd mod p CS355 Lecture 17/ Spring 2007 22 Attacks Against RSA CS355 Lecture 17/ Spring 2007 23 Math-Based Key Recovery Attacks l Three possible approaches: 1. Factor n = pq 2. Determine F(n) 3. Find the private key d directly l All the above are equivalent to factoring n CS355 Lecture 17/ Spring 2007 24 Knowing F(n) Implies Factorization l Knowing both n and F(n), one knows n = pq F(n) = (p-1)(q-1) = pq – p – q + 1 = n – p – n/p + 1 pF(n) = np – p2 – n + p p2 – np + F(n)p – p + n = 0 p2 – (n – F(n) + 1) p + n = 0 l There are two solutions of p in the above equation. l Both p and q are solutions. CS355 Lecture 17/ Spring 2007 25 Factoring Large Numbers l RSA-640 bits, Factored Nov.